Dec 9 2019

Decision in Facebook Class Action Highlights the Importance of Strong Expert Witnesses in Data Breach Litigation

“Even a good expert can do a bad job.” These are the words of US District Judge William Alsup of the Northern District of California from his November 26, 2019 decision in the matter of Adkins v. Facebook, Inc., 18-05982-WHA. Judge Alsup granted a Daubert motion filed by Facebook to exclude the expert testimony of the plaintiff’s identity theft expert, James Van Dyke. In granting the motion, Judge Alsup’s analysis underscored the importance of strong expert testimony, especially in the context of data breach litigation.

In September 2018, hackers stole information from approximately 29 million Facebook users worldwide, including about 4 million in the United States. The basic mechanics of the hack were as follows. Three features on Facebook’s platform interacted to make “access tokens” visible. Access tokens are similar to a password and permit a user entry to his or her account. When an access token became visible, the account was vulnerable. The access token vulnerability permitted the hackers unauthorized entry into 300,000 accounts. This was only the first step. Next, from within the 300,000 accounts, the hackers ran two search queries. The first yielded a combination of names, telephone numbers, and email addresses of 15 million users worldwide, 2.7 million of which were in the United States. The second yielded more sensitive information, such as names, telephone numbers, email addresses, gender, date of birth, and if populated, workplace, education, relationship status, religious views, hometown, self-reported current city, and website, on 14 million users worldwide, 1.2 million of which were in the United States. Further, with respect to the second group, the hackers also obtained the users’ locale and language, the type of device used to access Facebook, the last ten places the user was “tagged” or “checked in” on Facebook, the people or pages on Facebook followed by the user, and the user’s fifteen most recent searches with the Facebook search bar. The 300,000 users whose accounts were hacked had the same information stolen as the second group.

The plaintiff proffered expert testimony from Van Dyke in support of his claims. Specifically, it appears that the plaintiff intended to use Van Dyke’s testimony to help establish the concrete harm and damages the plaintiff suffered as a result of the breach. The landmark Supreme Court case Daubert v. Merrell Dow Pharmaceuticals (1993) designated the trial judge as the “gatekeeper” to ensure not only that scientific evidence is relevant but also that it is reliable. In evaluating the reliability of scientific expert evidence, a judge will consider factors such as testing, peer review, error rates, and general acceptance in the scientific community. In his decision, Judge Alsup skewered Van Dyke and found his methodology unreliable. Stating that Van Dyke “cherry-picked his own prior expert opinions,” the Court cited a portion of Van Dyke’s report from the Anthem data breach case and compared it to a portion of text from his report in the Adkins matter.

From Anthem:

“More damaging forms of misuse often result from criminals amassing more elements of any one consumer’s data—akin to assembling all pieces of a puzzle, with the social security number being a key foundational element. As an example . . . .” (emphasis added by Judge Alsup).

From Adkins:

“More damaging forms of misuse often result from criminals amassing more elements of any one consumer’s data—akin to assembling all pieces of a puzzle. As an example . . . .”

The plaintiff sought to minimize the significance of this similar language. The plaintiff noted that the reason the sentence about social security numbers is omitted from the paragraph in Adkins is the fact that social security numbers were not part of the Facebook breach. Judge Alsup stated that the plaintiff’s argument misses the point: “The point is that the social security numbers ranked as ‘key’—until this case, where they weren’t stolen, so the ‘key’ element got removed. This inconsistency means that Van Dyke says whatever is convenient to the case at hand.” Judge Alsup criticized other aspects of Van Dyke’s report as well. Van Dyke referred to the theft of maiden names, yet maiden names were not part of the breach. Van Dyke later conceded that this “was a mistake.” Van Dyke also discussed the theft of mailing addresses, internet protocol addresses, and the names of family members, none of which were part of the Facebook breach. Additionally, Van Dyke wrote that he was retained by plaintiff’s counsel in March 2018; however, this seems impossible, as the breach occurred in September 2018.

In a reply declaration, Van Dyke purportedly used a “beta” “proprietary algorithm” to generate a “risk level” of 6 out of 10 for the Facebook breach. By deposing Van Dyke, Facebook discovered that Van Dyke generated this rating by including information that was not actually compromised in the breach. When the correct information was inputted, the risk level fell below 2 out of 10. Van Dyke’s own website said that a breach registering as less than a 2 out of 10 risk level does not warrant any consumer action, a conclusion that “squarely conflicts” with Van Dyke’s expert testimony submitted on the plaintiff’s behalf.

The plaintiff asked the court to disregard these errors and argued that Van Dyke’s testimony was based on his knowledge and experience in the field of consumer identity fraud. Nevertheless, the Court concluded that Van Dyke’s report was simply “too flawed.” Concluding that the vast majority of the report was boilerplate from other cases, that it lacked sufficient analysis, and that it contained too many errors to be reliable, Judge Alsup granted Facebook’s motion to strike Van Dyke’s report.

Judge Alsup’s decision to strike Van Dyke’s report highlights the importance of strong expert witnesses, especially in data breach litigation. It is imperative for counsel not only to vet potential expert witnesses carefully and thoroughly, but also to review the expert’s work to ensure quality control. Counsel should proactively question the expert’s conclusions and probe for potential flaws or weaknesses. In the event that flaws are identified, the expert could seek to amend the report. In the case of a particularly flawed report, even if there is a sunk cost associated with the portion of the expert’s fee already paid or due, counsel should consider whether to replace the expert. In this regard, it would be far better to replace an unreliable expert early than to build a case on the expert’s flawed analysis, only to have that same analysis fully rejected by the court later. Depending on the significance of the expert’s analysis to the party’s case, preclusion of the expert’s testimony may well portend failure at trial.
